{"id":19952,"date":"2024-02-25T10:02:17","date_gmt":"2024-02-25T10:02:17","guid":{"rendered":"https:\/\/gridinsoft.com\/blogs\/?p=19952"},"modified":"2024-02-25T10:02:17","modified_gmt":"2024-02-25T10:02:17","slug":"lockbit-is-back","status":"publish","type":"post","link":"https:\/\/gridinsoft.com\/blogs\/lockbit-is-back\/","title":{"rendered":"LockBit is Back With New Claims and Victims"},"content":{"rendered":"<p>The story around the LockBit ransomware takedown on February 19 continues to unfold. After almost a week of downtime and silence, the <strong>infamous gang is back online on a new Onion domain<\/strong>, boasting new hacks. To top it all off, the infamous LockBitSupp released a lengthy statement about what happened and what\u2019s next.<\/p>\n<h2>LockBit Ransomware is Back After Law Enforcement Takedown<\/h2>\n<p>Following <a href=\"https:\/\/gridinsoft.com\/blogs\/lockbit-ransomware-taken-down\/\">the rough takedown<\/a> of all the Darknet sites that belong to LockBit ransomware, the gang representatives were mostly silent until February 24, 2024. At around 21:00 GMT, the chief of the cybercrime gang released <strong>a long PGP-signed message<\/strong> with an explanation from the hackers\u2019 point of view. In it, they describe the supposed way they were hacked and the future of LockBit. 
<strong>Spoiler \u2013 not a lot will change<\/strong>, except that LockBitSupp promises to be less lazy.<\/p>\n<figure id=\"attachment_19954\" aria-describedby=\"caption-attachment-19954\" style=\"width: 737px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/02\/lockbit-pgp-message.png\" alt=\"LockBit pgp message\" width=\"737\" height=\"488\" class=\"size-full wp-image-19954\" title=\"\" srcset=\"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/02\/lockbit-pgp-message.png 737w, https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/02\/lockbit-pgp-message-300x199.png 300w\" sizes=\"auto, (max-width: 737px) 100vw, 737px\" \/><figcaption id=\"caption-attachment-19954\" class=\"wp-caption-text\">PGP-signed message that LockBitSupp published on February 24<\/figcaption><\/figure>\n<p>As for how the law enforcement agencies managed to access the servers, a PHP vulnerability is named. The <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2023-3824\" rel=\"noopener noreferrer nofollow\" target=\"_blank\">CVE-2023-3824 vulnerability<\/a>, discovered back in August 2023, allows for remote code execution and received a CVSS rating of 9.8\/10. Well-deserved, considering how popular PHP is; LockBitSupp even supposes that <a href=\"https:\/\/gridinsoft.com\/blogs\/alphv-ransomware-site-taken-fbi\/\">other threat actors<\/a> who were hacked recently <strong>suffered from this exact vulnerability<\/strong>.<\/p>\n<p>Also, the hacker supposes that the FBI could have had access to the network for quite some time. 
The reason why law enforcement decided to pull the trigger is the publication of data leaked from Fulton County court, <strong>specifically documents regarding Donald Trump\u2019s court cases<\/strong>.<\/p>\n<div class=\"su-quote su-quote-style-default su-quote-has-cite\"><div class=\"su-quote-inner su-u-clearfix su-u-trim\">Had it not been for the election situation, the FBI would have continued to sit on my server waiting for any leads to arrest me and my associates, but all you need to do to not get caught is just quality cryptocurrency laundering. The FBI can sit on your resources and also collect information useful for the FBI, but do not show the whole world that you are hacked\u2026<\/p>\n<p>Why did it take 4 days to recover? Because I had to edit the source code for the latest version of PHP, as there was incompatibility.<span class=\"su-quote-cite\">LockBitSupp<\/span><\/div><\/div>\n<h2>LockBit Takedown Aftermath<\/h2>\n<p>So, <strong>what do we see almost a week past the takedown of LockBit<\/strong>? Law enforcement agencies dealt considerable damage to both the group\u2019s image and its hardware. The amount of leaked information, including decryption keys and data stolen from companies\u2019 networks, seriously cuts into the profits of the ransomware gang. And considering <a href=\"https:\/\/ssu.gov.ua\/en\/novyny\/sbu-spilno-z-pravookhorontsiamy-ssha-velykoi-brytanii-ta-yes-vykryla-mizhnarodne-uhrupovannia-khakerivvymahachiv\" rel=\"noopener noreferrer nofollow\" target=\"_blank\">the detainments in Poland and Ukraine<\/a>, the leaks were not only about operational information \u2013 personal data of malware operators <strong>was also exposed to some extent<\/strong>.<\/p>\n<p>However, this was barely enough <a href=\"https:\/\/gridinsoft.com\/ransomware\/lockbit\">to force the LockBit gang to stop<\/a>. Sure, they are now starting from scratch, with only a few listings present on their reborn leak page. 
But they will carry on, taking the past mistakes into account. The individuals captured in Eastern Europe are unlikely to be affiliates \u2013 <strong>more probably just server administrators or money mules<\/strong>. LockBit\u2019s story keeps rolling, and I\u2019m pretty sure they have a couple of aces up their sleeves.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The story around the LockBit ransomware takedown on February 19 continues to unfold. After almost a week of downtime and silence, the infamous gang is back online on a new Onion domain, boasting new hacks. To top it all off, the infamous LockBitSupp released a lengthy statement about what happened and what\u2019s next. 
LockBit Ransomware is [&hellip;]<\/p>\n","protected":false},"author":7,"featured_media":19955,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"content-type":"","_sitemap_exclude":false,"_sitemap_priority":"","_sitemap_frequency":"","footnotes":""},"categories":[15],"tags":[649,55],"class_list":{"0":"post-19952","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-security-news","8":"tag-lockbit","9":"tag-ransomware"},"featured_image_src":"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/02\/lockbit-phoenix.webp","author_info":{"display_name":"Stephanie Adlam","author_link":"https:\/\/gridinsoft.com\/blogs\/author\/adlam\/"},"_links":{"self":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts\/19952","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/users\/7"}],"replies":[{"embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/comments?post=19952"}],"version-history":[{"count":5,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts\/19952\/revisions"}],"predecessor-version":[{"id":19959,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts\/19952\/revisions\/19959"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/media\/19955"}],"wp:attachment":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/media?parent=19952"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/categories?post=19952"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/tags?post=19952"}],"curies":[{"name":"wp","href":"https:\/\/a
pi.w.org\/{rel}","templated":true}]}}